CVE-2015-5954

Name of the Vulnerable Software and Affected Versions ownCloud Server versions prior to 6.0.9 ownCloud Server versions 7.0.x prior to 7.0.7 ownCloud Server versions 8.0.x prior to 8.0.5

Description The virtual filesystem in ownCloud Server does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users' files via a sharing link to a file with a deleted parent folder. This issue is related to a lack of checking of returned data in the virtual filesystem, allowing a remote attacker to circumvent existing access restrictions.

Recommendations For ownCloud Server versions prior to 6.0.9, update to version 6.0.9 or later. For ownCloud Server versions 7.0.x prior to 7.0.7, update to version 7.0.7 or later. For ownCloud Server versions 8.0.x prior to 8.0.5, update to version 8.0.5 or later.